Homeland Security cyber czar sees challenges ahead

The criminals in cyberspace are getting more organized, but so are those fighting against them according to the Homeland Security Department's new secretary for cybersecurity and telecommunications.

In an interview with Technology Daily, Greg Garcia outlined his goals after four months on the job as the nation's first cybersecurity czar.

Garcia acknowledged that technology improvements will create bigger security challenges as much of the world's communications moves through a single, integrated Internet protocol over the next 10 years. Also, globalization of the information technology industry means more opportunities to exploit vulnerabilities along the supply chain.

"There are cost savings, productivity enhancements, but it also introduces a new level of vulnerability into our networks," said Garcia, who served as a vice president at the Information Technology Association of America and also worked for other trade associations and on Capitol Hill before taking his latest job.

Add those concerns to the current picture where the Cyber Security Industry Alliance gives government agency cybersecurity efforts a D grade, and cyber threats are growing exponentially, he said.

Reports of cyber threats to the U.S. Computer Emergency Readiness Team jumped to 23,000 incidents for 2006, up from 5,000 reported in 2005. So far this year, there have been 19,000 reports of cyber attacks.

Part of the reason is simply increased attacks, said a source working to combat the threats, but the good news is the larger number likely means that the private sector is more willing to report incidents and that companies know where to report them.

Garcia has stressed that groups that stand to lose from cyber attacks are so interdependent that they need to share information better. "We're in a partnership and that means there has to be trust," he said. "We need that trust to share information about vulnerabilities and threats."

One improvement to better monitor threats reflects the changing technology and Garcia's new role leading the response to both cyber and telecom threats as the technologies merge.

Garcia said U.S. CERT and the National Coordination Center, which monitors disruptions in the telecommunications network, soon will be housed under one roof. While he couldn't say exactly where that roof will be for security reasons, he said the timetable for the merger is "fairly soon."

Garcia said the change will strengthen information-sharing, which in turn will help Homeland Security respond to multiple cyber attacks across critical infrastructure -- one of the three broad goals Garcia has outlined.

He said he also wants to be held accountable for stronger network security among federal agencies, adding that he aims "to raise the bar for all federal agencies."

Garcia vowed to implement sector-specific infrastructure protection plans that have been gathering dust. Some 90 percent of critical infrastructure is owned by the private sector.

Part of the slow speed can be chalked up to the slower process of getting consensus on a solution rather than dictating one. Garcia sees his role as leadership, balanced by plenty of consensus, saying that the problems are too complex for his department to dictate a solution.

"We can't be in a position to say, 'thou shall do this,'" he said. "There are different business models and there are different risk profiles. So it would be impossible to devise a simple security solution for everyone."

Even if that were possible, Garcia said Homeland Security would be wise not to make tech mandates. "Innovation is something constantly evolving," he said. "Regulation does not."